Greetings Eric,

Returning this conversation to the mailing list :-) and in English.

I'm sure that will not work that way. When a "Domain Admins" member 
modifies a file or directory, that file will be owned by the member 
and not by the user of the profile. The Windows client will generate an 
error during profile transfer. As I said in private, you need to 
execute setfacl -R -m u:<profile_user>:r-x /share/profiles/<profile_user>.

The root postexec parameter will use server resources unnecessarily. With 
the approach I described in private, just apply these lines when the user's 
profile is created:

setfacl -R -m u:<profile_user>:r-x /share/profiles/<profile_user>
setfacl -R -d -m u:<profile_user>:r-x /share/profiles/<profile_user>

setfacl -R -m g:"Domain Admins":rwx /share/profiles/<profile_user>
setfacl -R -d -m g:"Domain Admins":rwx /share/profiles/<profile_user>

No root postexec is needed, and you can surely make some modifications to 
include it in the idealx script or create your own script.


> hello
> i solved my problem.
> i wanted a manager to be able to modify files in the users' profiles 
> from his windows workstation.
> The solution i found is adding this line to the profiles share 
> block in smb.conf :
> root postexec = setfacl -R -m g:"Domain Admins":rwx /share/profiles/%U
> regards
> -------- Original Message --------
> Subject: profile question
> Date: Tue, 18 Jul 2006 18:52:07 +0200
> From: éric le hénaff <eric.le.henaff at ens.fr>
> Newsgroups: gmane.network.samba.general
> hello,
> i have a profile question
> here under is my profile definition. it's nothing more than the one from
> the idealx samba howto.
> profiles just work fine on my box BUT i want more ...
> i want a manager to have read/write access on every users' profile
> subdirectory for troubleshooting from his windows workstation by
> invoking \\server\profiles. he's in the domain admins.
> How to do that
> Thank you for any help, i tried different scenarios (samba tweaking,
> acls inheritance and so on) for an afternoon and didn't find one working.
> [profiles]
> path = /home/profiles
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = No
> guest ok = Yes
> profile acls = yes
> csc policy = disable
> # next line is a great way to secure the profiles
> force user = %U
> # next line allows administrator to access all profiles
> valid users = %U @"Domain Admins"
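
Added example (not part of the original messages, and not code from Samba or the idealx scripts): a Python check over `getfacl -R` output for one profile tree. It reports files no longer owned by the profile's user, the failure described in the reply, and files missing the ACL entries the reply sets. The users alice and bob, the sample output and the function names are constructed for illustration; the permission strings are the ones given in the reply.

```python
import re
# Constructed `getfacl -R` output for a hypothetical user "alice" (not from the thread).
SAMPLE = r"""# file: share/profiles/alice
# owner: alice
# group: users
user::rwx
user:alice:r-x
group::---
group:Domain\040Admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:alice:r-x
default:group::---
default:group:Domain\040Admins:rwx
default:mask::rwx
default:other::---

# file: share/profiles/alice/NTUSER.DAT
# owner: bob
# group: users
user::rw-
group::---
other::---
"""

def unescape(name):  # getfacl writes special characters as octal escapes (\040 = space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def audit(getfacl_text, profile_user, admin_group="Domain Admins"):
    """Return (path, problem) pairs for one profile tree."""
    want = {f"user:{profile_user}:r-x", f"group:{admin_group}:rwx"}
    findings = []
    for i, block in enumerate(b for b in getfacl_text.split("\n\n") if b.strip()):
        path, owner, entries = None, None, set()
        for line in block.splitlines():
            if line.startswith("# file: "):
                path = unescape(line[8:])
            elif line.startswith("# owner: "):
                owner = unescape(line[9:])
            elif line and not line.startswith("#"):
                entries.add(unescape(line.split()[0]))  # drop "#effective:" notes
        if owner != profile_user:
            findings.append((path, f"owned by {owner}"))
        # The first block is the profile's top directory: it also needs the default entries.
        needed = want | ({"default:" + e for e in want} if i == 0 else set())
        for entry in sorted(needed - entries):
            findings.append((path, f"missing {entry}"))
    return findings
```

Feed it the output of getfacl -R /share/profiles/<profile_user>; an empty list means ownership and both sets of entries are in place.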

